Threat Intelligence Bulletin: 06/16/2023 - 06/22/2023
by Alpha Team

ZeroFox Weekly Threat Bulletin: 06/16/2023 - 06/22/2023
ZeroFox Daily Intelligence:
ZeroFox Daily Intelligence Brief - June 22, 2023
Brief Highlights
- Apple Issues Patch To Stop “Triangulation” Spyware That Hit Kaspersky
- iOttie Reveals Credit Card Data Breach Following Site Hack
- UPS Discloses Customer Information Data Breach Used in SMS Phishing Attacks
- Vulnerabilities: CVE-2023-33933, CVE-2021-3468, and CVE-2023-31196
- Exploits: CVE-2013-1979 and CVE-2014-0038
- Breaches: Telegram: Logz_5GB[.]7z Botnet Breach, Credit Card Data Breach: 2023-6-21, and BreachForums/XSS: Learn French by Podcast Data Breach
Report: https://zerofox.com/advisories/20963
ZeroFox Daily Intelligence Brief - June 21, 2023
Brief Highlights
- VMware: Critical Bug Being Exploited in Attacks on Unpatched Devices
- New DDoS-as-a-Service Botnet "Condi" Exploits TP-Link Routers
- Critical Vulnerabilities Found in Operational Technology (OT) Products from Wago and Schneider
- Vulnerabilities: CVE-2023-31975 and CVE-2019-6502
- Exploits: CVE-2017-12617 and CVE-2017-16894
- Breaches: Telegram: SunCloudPubl[.]zip Botnet Breach and BreachForums/XSS: WarcraftRealms Data Breach
Report: https://zerofox.com/advisories/20952
ZeroFox Daily Intelligence Brief - June 20, 2023
Brief Highlights
- Clop Ransomware Breached Prominent Organizations—Over 50 Victims Named in Leaksite
- Suspected China-Based Hackers Target Government Officials and Institutions Following G7 Meeting
- Killnet Attacks Public Website of European Investment Bank via DDoS
- Vulnerabilities: CVE-2023-3320 and CVE-2023-3216
- Exploits: CVE-2019-16116 and CVE-2016-2555
- Breaches: BreachForums/XSS: Shotbow Data Breach and Credit Card Data Breach: 2023-6-19
Report: https://zerofox.com/advisories/20938
ZeroFox Daily Intelligence Brief - June 19, 2023
Brief Highlights
- Microsoft Confirms Azure and Outlook Outages Caused by DDoS attacks
- ChamelDoH: New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert Command and Control
- Eaton Resolves Security Flaw Allowing Remote Access to Thousands of Smart Alarm Systems
- Vulnerabilities: CVE-2023-35857, CVE-2023-35855, and CVE-2023-35856
- Exploits: CVE-2010-2075 and CVE-2012-5932
- Breaches: XSS: Zacks Investment Research Data Breach and BreachForums/XSS: Epic Games Data Breach
Report: https://zerofox.com/advisories/20921
ZeroFox Daily Intelligence Brief - June 16, 2023
Brief Highlights
- ZeroFox Intelligence Flash Report: Clop Ransomware Discloses New Victims Across a Wide Range of Sectors
- ZeroFox Intelligence Assesses KillNet’s Claims of Imminent Attack on Western Financial Infrastructure
- MOVEit Transfer Customers Warned of Third Flaw as New PoC Information Surfaces
- Vulnerabilities: CVE-2022-47015, CVE-2023-24038, and CVE-2023-1161
- Exploits: CVE-2015-7857, CVE-2013-0333, and CVE-2008-4397
- Breaches: BreachForums/XSS: HackGive Data Breach and Credit Card Data Breach: 2023-6-14
Report: https://zerofox.com/advisories/20902
Breach Disclosures:
Breach Disclosure: TeamExtreme
An alleged data breach at TeamExtreme – a U.S.-based Minecraft discussion forum – exposed 70,591 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/20964
Breach Disclosure: CoinPot
An alleged data breach at CoinPot – an Australia-based blockchain and cryptocurrency site – exposed 130,919 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/20951
Breach Disclosure: Pokemon Creed
An alleged data breach at Pokemon Creed – a U.S.-based online Pokemon RPG (role-playing game) – exposed 126,349 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/20950
Breach Disclosure: MediaFire
An alleged data breach at MediaFire – a U.S.-based file hosting, file synchronization, and cloud storage platform – exposed 138,664 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/20949
Breach Disclosure: Frozencraft
An alleged data breach at Frozencraft – an Italy-based company that operates in the architecture and planning industry – exposed 27,651 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/20948
Breach Disclosure: Forum Dvdrbase
An alleged data breach at Forum Dvdrbase – a Germany-based software discussion forum – exposed 48,236 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/20947
Breach Disclosure: Hydrogen
An alleged data breach at Hydrogen – a U.S.-based global financial operating system – exposed 29,675 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/20937
Breach Disclosure: Tintenprofi
An alleged data breach at Tintenprofi – a Switzerland-based company that operates in the business supplies and equipment industry – exposed 55,321 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/20936
Breach Disclosure: Kurla Nagrik Sahakari
An alleged data breach at Kurla Nagrik Sahakari – an India-based bank – exposed 1,237 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/20935
Breach Disclosure: Fotoboom
An alleged data breach at Fotoboom – a Spain-based digital photography and video store – exposed 89,303 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/20934
Breach Disclosure: World Poker Tour
An alleged data breach at World Poker Tour – a U.S.-based internationally televised gaming and entertainment company – exposed 89,405 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/20920
Breach Disclosure: Oneland
An alleged data breach at Oneland – a Russia-based search engine – exposed 97,572 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/20919
Breach Disclosure: Profitech
An alleged data breach at Profitech – a Hungary-based company that deals in the trade of electronic products – exposed 88,375 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/20918
Breach Disclosure: Runelite.net
An alleged data breach at Runelite.net – a U.S.-based client for Old School RuneScape – exposed 77,905 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/20917
Breach Disclosure: Singapore_combo
A combolist breach package titled “Singapore_combo” exposed 12,260 email addresses and plain-text passwords, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/20916
Breach Disclosure: PvPWars
An alleged data breach at PvPWars – a U.S.-based Minecraft server – exposed 14,129 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/20911
Breach Disclosure: CraftBoard
An alleged data breach at CraftBoard – a Poland-based Minecraft hosting server and discussion site – exposed 18,318 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/20909
Breaking News:
Emerging Ransomware Group 8Base Doxxes SMBs Globally
A ransomware group that had operated under the radar has come to light. Since at least April 2022, 8Base has been conducting double-extortion attacks against small and midsized businesses (SMBs). It all came to a head in May 2023, when the group dumped data belonging to 67 organizations on the cyber underground.
See the full report here: https://www.darkreading.com/vulnerabilities-threats/emerging-ransomware-8base-doxxes-smbs-globally
Apple Issues Patches To Stop “Triangulation” Spyware That Hit Kaspersky
Apple has issued patches for iOS, macOS, iPadOS, and watchOS to fix three zero-day vulnerabilities that were recently abused to deploy Triangulation spyware on iPhones of Kaspersky employees.
See the full report here: https://www.pcmag.com/news/apple-issues-patch-to-stop-triangulation-spyware-that-hit-kaspersky
Chinese APT15 hackers resurface with new Graphican malware
The Chinese state-sponsored hacking group tracked as APT15 has been observed using a novel backdoor named "Graphican" in a new campaign between late 2022 and early 2023. APT15, also known as Nickel, Flea, Ke3Chang, and Vixen Panda, is a Chinese state-sponsored group that has targeted important public and private organizations worldwide since at least 2004. The group has used various malware implants and custom backdoors over the years, including RoyalCLI and RoyalDNS, Okrum, Ketrum, and the Android spyware SilkBean and Moonshine.
See the full report here: https://www.bleepingcomputer.com/news/security/chinese-apt15-hackers-resurface-with-new-graphican-malware/
UPS discloses data breach after exposed customer info used in SMS phishing
UPS is alerting Canadian customers that some of their personal information might have been exposed via its online package look-up tools and abused in phishing attacks.
See the full report here: https://www.bleepingcomputer.com/news/security/ups-discloses-data-breach-after-exposed-customer-info-used-in-sms-phishing/
APT37 hackers deploy new FadeStealer eavesdropping malware
The North Korean APT37 hacking group has been observed using a new "FadeStealer" information-stealing malware containing a "wiretapping" feature, allowing the threat actor to snoop and record from victims' microphones.
See the full report here: https://www.bleepingcomputer.com/news/security/apt37-hackers-deploy-new-fadestealer-eavesdropping-malware/
Exploit released for Cisco AnyConnect bug giving SYSTEM privileges
Proof-of-concept exploit code is available for a high-severity flaw in Cisco Secure Client Software for Windows (formerly AnyConnect Secure Mobility Client) that can let attackers elevate privileges to SYSTEM. Successful exploitation requires abusing what Cisco describes as a "specific function of the Windows installer process."
See the full report here: https://www.bleepingcomputer.com/news/security/exploit-released-for-cisco-anyconnect-bug-giving-system-privileges/
iOttie discloses data breach after site hacked to steal credit cards
Car mount and mobile accessory maker iOttie warns that its site was compromised for almost two months to steal online shoppers' credit cards and personal information. iOttie stated that it discovered on June 13 that its online store had been compromised with various malicious scripts between April 12 and June 2, 2023.
See the full report here: https://www.bleepingcomputer.com/news/security/iottie-discloses-data-breach-after-site-hacked-to-steal-credit-cards/
Over 100,000 ChatGPT accounts stolen via info-stealing malware
More than 101,000 ChatGPT user accounts have been stolen by information-stealing malware over the past year, according to dark web marketplace data. Researchers report having identified over a hundred thousand info-stealer logs on various underground websites containing ChatGPT accounts, with the peak observed in May 2023, when threat actors posted 26,800 new ChatGPT credential pairs.
See the full report here: https://www.bleepingcomputer.com/news/security/over-100-000-chatgpt-accounts-stolen-via-info-stealing-malware/
Hackers infect Linux SSH servers with Tsunami botnet malware
An unknown threat actor is brute-forcing Linux SSH servers to install a wide range of malware, including the Tsunami DDoS (distributed denial of service) bot, ShellBot, log cleaners, privilege escalation tools, and an XMRig (Monero) coin miner.
See the full report here: https://www.bleepingcomputer.com/news/security/hackers-infect-linux-ssh-servers-with-tsunami-botnet-malware/
Hackers warn University of Manchester students of imminent data leak
The ransomware operation behind a cyberattack on the University of Manchester has begun to email students, warning that their data will soon be leaked after an extortion demand was not paid. In the email sent to students, the threat actors claim to have stolen 7 TB of data from the University of Manchester during a June 6, 2023 cyberattack.
See the full report here: https://www.bleepingcomputer.com/news/security/hackers-warn-university-of-manchester-students-of-imminent-data-leak/
Data leak at Australian law firm spooks government, business
An infosec incident at a major Australian law firm has sparked fear among the nation's governments, banks and businesses. The firm, HWL Ebsworth, has acknowledged that a threat actor identified as ALPHV/BlackCat made a post on a dark web forum claiming to have exfiltrated data from the company. The firm therefore hired investigators, who confirmed that "the threat actor had accessed and exfiltrated certain information on a confined part of the firm's system." The investigation reportedly revealed that over four terabytes of information were leaked.
See the full report here: https://www.theregister.com/2023/06/20/hwl_ebsworth_cyber_incident/
New Condi malware builds DDoS botnet out of TP-Link AX21 routers
A new DDoS-as-a-Service botnet called "Condi" emerged in May 2023, exploiting a vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to build an army of bots to conduct attacks. AX1800 is a popular Linux-based dual-band (2.4GHz + 5GHz) Wi-Fi 6 router with 1.8 Gbps bandwidth, used primarily by home users, small offices, shops, cafes, etc. Condi aims to enlist new devices to create a powerful DDoS (distributed denial of service) botnet that can be rented to launch attacks on websites and services.
See the full report here: https://www.bleepingcomputer.com/news/security/new-condi-malware-builds-ddos-botnet-out-of-tp-link-ax21-routers/
Experts Uncover Year-Long Cyber Attack on IT Firm Utilizing Custom Malware RDStealer
A highly targeted cyber attack against an East Asian IT company involved the deployment of a custom malware written in Golang called RDStealer. The operation was active for more than a year with the end goal of compromising credentials and data exfiltration.
See the full report here: https://thehackernews.com/2023/06/experts-uncover-year-long-cyber-attack.html
Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices
Zyxel has rolled out security updates to address a critical security flaw in its network-attached storage (NAS) devices that could result in the execution of arbitrary commands on affected systems. Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue has been described as a pre-authentication command injection vulnerability.
See the full report here: https://thehackernews.com/2023/06/zyxel-releases-urgent-security-updates.html
Researchers Expose New Severe Flaws in Wago and Schneider Electric OT Products
Three security vulnerabilities have been disclosed in operational technology (OT) products from Wago and Schneider Electric. The flaws are part of a broader set of shortcomings collectively called OT:ICEFALL, which now comprises a total of 61 issues spanning 13 different vendors. OT:ICEFALL demonstrates the need for tighter scrutiny of, and improvements to, processes related to secure design, patching and testing in OT device vendors.
See the full report here: https://thehackernews.com/2023/06/researchers-expose-new-severe-flaws-in.html
Hackers Exploit Critical Vulnerability in VMware's Aria Operations Networks
VMware has flagged that a recently patched critical command injection vulnerability in Aria Operations for Networks (formerly vRealize Network Insight) has come under active exploitation in the wild. The flaw, tracked as CVE-2023-20887, could allow a malicious actor with network access to the product to perform a command injection attack, resulting in remote code execution.
See the full report here: https://thehackernews.com/2023/06/alert-hackers-exploiting-critical.html
Verizon warns all Android and iPhone owners over bank-emptying ‘innocent click’
Verizon has warned all its Android and iPhone users to be on the lookout for a scam that could drain their bank account. The scam reels users in by getting them to click on a link to a video. Once users click the link, the attackers can gain access to personal information.
See the full report here: https://www.the-sun.com/tech/8389576/verizon-social-media-phishing-iphone-android/
Chinese hackers use G7 ruse to target Australian government officials
Australia is among four countries whose government officials were targeted by suspected China-based hackers after a G7 meeting in Japan, attempting to install malicious software on their devices and steal information.
See the full report here: https://www.afr.com/technology/chinese-hackers-use-g7-ruse-to-target-australian-government-officials-20230615-p5dgqq
From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet
Researchers have discovered previously undocumented payloads associated with a Romanian threat actor named Diicot, revealing its potential for launching distributed denial-of-service (DDoS) attacks.
See the full report here: https://thehackernews.com/2023/06/from-cryptojacking-to-ddos-attacks.html
Researchers Discover New Sophisticated Toolkit Targeting Apple macOS Systems
Cybersecurity researchers have uncovered a set of malicious artifacts that they say is part of a sophisticated toolkit targeting Apple macOS systems. The analysis is based on an examination of four samples that were uploaded to VirusTotal by an unnamed victim. The earliest sample dates back to April 18, 2023. Two of the three malicious programs are said to be generic Python-based backdoors that are designed to target Windows, Linux, and macOS systems. The payloads have been collectively dubbed JokerSpy.
See the full report here: https://thehackernews.com/2023/06/researchers-discover-new-sophisticated.html
Android spyware camouflaged as VPN, chat apps on Google Play
Three Android apps on Google Play were used by state-sponsored threat actors to collect intelligence from targeted devices, such as location data and contact lists. The malicious Android apps are attributed with medium confidence to the Indian hacking group "DoNot," also tracked as APT-C-35, which has targeted high-profile organizations in Southeast Asia since at least 2018.
See the full report here: https://www.bleepingcomputer.com/news/security/android-spyware-camouflaged-as-vpn-chat-apps-on-google-play/
ASUS urges customers to patch critical router vulnerabilities
ASUS has released new firmware with cumulative security updates that address vulnerabilities in multiple router models, warning customers to immediately update their devices or restrict WAN access until they're secured. As the company explains, the newly released firmware contains fixes for nine security flaws, including high and critical ones.
See the full report here: https://www.bleepingcomputer.com/news/security/asus-urges-customers-to-patch-critical-router-vulnerabilities/
Hackers use fake OnlyFans pics to drop info-stealing malware
A malware campaign is using fake OnlyFans content and adult lures to install a remote access trojan known as "DcRAT," allowing threat actors to steal data and credentials or deploy ransomware on the infected device.
See the full report here: https://www.bleepingcomputer.com/news/security/hackers-use-fake-onlyfans-pics-to-drop-info-stealing-malware/
Iowa’s largest school district confirms ransomware attack, data theft
Des Moines Public Schools, Iowa's largest school district, confirmed that a ransomware attack was behind an incident that forced it to take all networked systems offline on January 9, 2023. While the school district also received a ransom demand following the attack from an unnamed ransomware group, the ransom has not been paid. Almost 6,700 individuals whose data was affected in the resulting data breach will be contacted with details regarding what personal information was exposed.
See the full report here: https://www.bleepingcomputer.com/news/security/iowas-largest-school-district-confirms-ransomware-attack-data-theft/
A simple bug exposed access to thousands of smart security alarm systems
U.S. power and electronics giant Eaton has fixed a security vulnerability that allowed a security researcher to remotely access thousands of smart security alarm systems. The vulnerability allowed anyone to sign up as a new user and assign that account to any other group of users, including a “root” group, which has access to all of the smart alarm systems connected to Eaton’s cloud.
See the full report here: https://techcrunch.com/2023/06/16/eaton-secureconnect-security-alarm-vulnerability/
Hackers strike Iranian government, releasing presidential documents
A group of hackers working against the Iranian government have struck again, this time with a second trove of documents obtained from the highest levels of the authoritarian regime. Credit for the attack was claimed by the group calling itself “Ghiam ta Sarnegoun”, or “Rise to Overthrow”.
See the full report here: https://www.independent.co.uk/news/world/middle-east/hacking-attack-iran-raisi-shamkhani-b2359867.html
ChamelDoH: New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert CnC
The threat actor known as ChamelGang has been observed using a previously undocumented implant to backdoor Linux systems, marking a new expansion of the threat actor's capabilities. The malware, dubbed ChamelDoH, is a C++ based tool for communicating via DNS-over-HTTPS (DoH) tunneling.
See the full report here: https://thehackernews.com/2023/06/chameldoh-new-linux-backdoor-utilizing.html
Google targets fake business reviews network in new lawsuit
Google has filed a consumer protection lawsuit against the company Rafadigital, accusing it of creating 350 fraudulent Business Profiles and 14,000 fake reviews for an alleged business verification service for Google services.
See the full report here: https://www.bleepingcomputer.com/news/google/google-targets-fake-business-reviews-network-in-new-lawsuit/
Police crack down on DDoS-for-hire service active since 2013
Polish police officers of the country's Central Bureau for Combating Cybercrime detained two suspects believed to have been involved in operating a DDoS-for-hire service (aka booter or stresser) active since at least 2013.
See the full report here: https://www.bleepingcomputer.com/news/security/police-cracks-down-on-ddos-for-hire-service-active-since-2013/
SMS delivery reports can be used to infer recipient's location
A team of university researchers has devised a new side-channel attack named "Freaky Leaky SMS," which relies on the timing of SMS delivery reports to deduce a recipient's location. The researchers developed an algorithm that analyzes data in these SMS responses to find the recipient's location at an accuracy of up to 96% for locations across different countries and up to 86% for two locations in the same country.
See the full report here: https://www.bleepingcomputer.com/news/security/sms-delivery-reports-can-be-used-to-infer-recipients-location/
US govt offers USD 10 million bounty for info on Clop ransomware
The U.S. State Department's Rewards for Justice program announced up to a USD 10 million bounty for information linking the Clop ransomware attacks to a foreign government.
See the full report here: https://www.bleepingcomputer.com/news/security/us-govt-offers-10-million-bounty-for-info-on-clop-ransomware/
Microsoft confirms Azure, Outlook outages caused by DDoS attacks
Microsoft has confirmed that recent outages to Azure, Outlook, and OneDrive web portals resulted from Layer 7 DDoS attacks against the company's services. The attacks are being attributed to a threat actor tracked by Microsoft as Storm-1359, who calls themselves Anonymous Sudan. The outages occurred at the beginning of June 2023, with Outlook.com's web portal targeted on June 7, OneDrive on June 8, and the Microsoft Azure Portal on June 9.
See the full report here: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-azure-outlook-outages-caused-by-ddos-attacks/
New Mystic Stealer malware increasingly used in attacks
A new information-stealing malware named "Mystic Stealer" has been promoted on hacking forums and darknet markets since April 2023, quickly gaining traction in the cybercrime community. The malware, rented for USD 150/month, targets 40 web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 MFA and password management applications, 55 cryptocurrency browser extensions, Steam and Telegram credentials, and more.
See the full report here: https://www.bleepingcomputer.com/news/security/new-mystic-stealer-malware-increasingly-used-in-attacks/
Reddit hackers threaten to leak data stolen in February breach
The BlackCat (ALPHV) ransomware gang was behind a February 2023 cyberattack on Reddit, in which the threat actors claimed to have stolen 80 GB of data from the company. In a "Reddit Files" post on the gang's data leak site, the threat actors stated that they plan to leak the data obtained during the attack.
See the full report here: https://www.bleepingcomputer.com/news/security/reddit-hackers-threaten-to-leak-data-stolen-in-february-breach/
Dodgy Microlending Apps Stalk MEA Users, Highlighting Cyber Maturity Gaps
Research emerged showing that mobile users in the Middle East and Africa are the third most-likely to install suspicious financial mobile apps — mainly in the form of apps purporting to offer microlending services, a popular practice in a region where many residents lack access to mainstream credit markets.
See the full report here: https://www.darkreading.com/dr-global/dodgy-micro-lending-apps-stalk-mea-users-cyber-maturity
Barracuda ESG zero-day attacks linked to suspected Chinese hackers
A suspected pro-China hacker group tracked as UNC4841 has been linked to data-theft attacks on Barracuda ESG (Email Security Gateway) appliances using a now-patched zero-day vulnerability. Starting on approximately October 10, 2022, the threat actors began exploiting CVE-2023-2868, a zero-day remote command injection vulnerability in Barracuda's email attachment scanning module. The vendor discovered the flaw on May 19, 2023 and immediately disclosed that the vulnerability was being exploited, with CISA publishing an alert for U.S. federal agencies to apply the security updates.
See the full report here: https://www.bleepingcomputer.com/news/security/barracuda-esg-zero-day-attacks-linked-to-suspected-chinese-hackers/
Rhysida ransomware leaks documents stolen from Chilean Army
Threat actors behind a recently surfaced ransomware operation known as Rhysida have leaked online what they claim to be documents stolen from the network of the Chilean Army (Ejército de Chile). The leak comes after the Chilean Army confirmed on May 29, 2023 that its systems had been impacted in a security incident detected over the weekend on May 27, 2023. The network was isolated following the breach, and military security experts began recovering the affected systems.
See the full report here: https://www.bleepingcomputer.com/news/security/rhysida-ransomware-leaks-documents-stolen-from-chilean-army/
Warning: GravityRAT Android Trojan Steals WhatsApp Backups and Deletes Files
An updated version of an Android remote access trojan dubbed GravityRAT has been found masquerading as messaging apps BingeChat and Chatico as part of a narrowly targeted campaign since June 2022. GravityRAT can exfiltrate WhatsApp backups and receive commands to delete files. The malicious apps also provide legitimate chat functionality based on the open-source OMEMO Instant Messenger app.
See the full report here: https://thehackernews.com/2023/06/warning-gravityrat-android-trojan.html
Vidar Malware Using New Tactics to Evade Detection and Anonymize Activities
The threat actors behind the Vidar malware have made changes to their backend infrastructure, indicating attempts to retool and conceal their online trail in response to public disclosures about their modus operandi. Vidar threat actors continue to rotate their backend IP infrastructure, favoring providers in Moldova and Russia.
See the full report here: https://thehackernews.com/2023/06/vidar-malware-using-new-tactics-to.html
Third Flaw Uncovered in MOVEit Transfer App Amidst Cl0p Ransomware Mass Attack
Progress Software disclosed a third vulnerability impacting its MOVEit Transfer application, as the Cl0p cybercrime gang deployed extortion tactics against affected companies. The new flaw, which is yet to be assigned a CVE identifier, also concerns an SQL injection vulnerability that "could lead to escalated privileges and potential unauthorized access to the environment."
See the full report here: https://thehackernews.com/2023/06/third-flaw-uncovered-in-moveit-transfer.html
20-Year-Old Russian LockBit Ransomware Affiliate Arrested in Arizona
The U.S. Department of Justice (DoJ) unveiled charges against a Russian national for his alleged involvement in deploying LockBit ransomware to targets in the U.S., Asia, Europe, and Africa.
See the full report here: https://thehackernews.com/2023/06/20-year-old-russian-lockbit-ransomware.html
ZeroFox Intelligence Reports:
ZeroFox Intelligence Cyber Threat Advisory - Ransomware & Digital Extortion Incidents Surging In Q2 2023
In this advisory, ZeroFox Intelligence provides analysis of surging ransomware and digital extortion activity in Q2 2023, including potential underlying factors that are driving the high threat.
Report: https://zerofox.com/advisories/20972
ZeroFox Intelligence Assessment - Cyber and Military Implications of the Ukrainian Counter-offensive
In this assessment of the current Ukrainian counter-offensive, ZeroFox Intelligence summarizes the current campaign and projects what various scenarios may mean for the conflict.
Report: https://zerofox.com/advisories/20962
ZeroFox Intelligence Brief - Q2 2023 Synthetic Media Update
ZeroFox Intelligence researchers address notable updates in synthetic media over the past quarter in this intelligence brief, including observations on tooling, threat actor developments, and overall threats.
Report: https://zerofox.com/advisories/20915
ZeroFox Intelligence Regional Assessment – Latin America
In this regional assessment, ZeroFox researchers establish the key geopolitical and security risks currently facing Latin America, and provide forward-looking statements on how these will likely impact the region in the coming months.
Report: https://zerofox.com/advisories/20913
Tags: tlp:clear, all industries, global